Insights
With 40 Gbit/s: High-Speed Data Center Interconnect with FPGA Technology
To ensure the security, high availability and redundancy of datacenters, IT security experts at genua are developing high-speed VPN gateways based on FPGA. The aim is to achieve extremely fast signal processing combined with maximum trustworthiness of the hardware. In this interview, Andreas Fiessler, Head of FPGA Development at genua, explains how Field Programmable Gate Arrays (FGPAs) are being used for high-performance packet processing in the project genuscreen 40G VPN.
Why Is Trust a Key Factor in Datacenter Interconnect?
Andreas Fiessler: For us as security manufacturers, trust is always the key focus of all of our products. Even with hardware-accelerated components, I could resort to ready-made solutions. The problem is that I can't see inside them. As a result, every backdoor and every functionality could be concealed there, installed by other people and hidden from sight. And I can't prove it, I can't rule it out.
Unfortunately, that is a very realistic scenario. In the past, the possibility of such a thing was only discussed. But in just the last few months, we have seen from incidents such as supply chain attacks that these things actually happen. In this respect, developing FPGAs myself is an advantage. I can determine the wiring myself. And, of course, I can trust myself and prove that what's happening there is only what I want to happen.
What Advantages do FPGAs offer for Data Center Interconnect?
Andreas Fiessler: The main motivation is the speed. With FPGA-based hardware acceleration, I can achieve far higher speeds of network packet processing than would be possible on classic software-based systems. With our software-based solutions, we are currently achieving approximately 1 to 10 Gbit/s for encryption, depending on the scenario's complexity. It largely depends on what I do with the packets and how much pre- and post-processing I need. With hardware acceleration, I have completely different speed ranges, currently 40 Gbit/s, but 100, 200 or even 800 Gbit/s is a realistic aim.
At the moment, we primarily intend this to be used for data center interconnect – where the number of connections is low and the speed requirements are high. This means networking multiple data center locations.
How Are FPGAs Used in the genuscreen 40G VPN Appliance?
Andreas Fiessler: Our new genuscreen 40G VPN Appliance is an FPGA-expanded version of the existing genuscreen, a VPN gateway that we have accelerated using the FPGA. On the FPGA, we use offloading mechanisms to accelerate the IPsec VPN connection, currently to 40 Gbit/s full duplex. We can guarantee low latency, currently of 20 μs, for packet processing.
Here (image on the left), we can see an open genuscreen with the FPGA expansion card. On a normal genuscreen, the following would happen: We would have our network interfaces, and the network traffic would be processed by the normal CPU via a software-based approach. I would also be able to install larger network cards. However, at some point, an inherent maximum would be reached due to the overhead associated with software-based packet processing. In this scenario, I now have an FPGA-based card instead. It is configured via the normal CPU, via the host system.
However, unlike with normal processing, I can process the packets directly on the FPGA. This means that my traffic goes in here, is processed and comes back out directly on the other interface, without an overhead. As a result, I easily achieve higher speeds.
What Is It about FPGA Technology that Excites You?
Andreas Fiessler: FPGA development is just fundamentally different than software development. The way of thinking is different, a bit special, but the results speak for themselves. You simply have far more options and goals that you can reach.
